SSL Certificate Thumbprint Mismatch Error in Site Recovery Manager after vCenter Certificate replacement

Article ID: 320615

Products

VMware Live Recovery
VMware vCenter Server

Issue/Introduction

  • SRM (Site Recovery Manager) tries to connect using the old (stale) thumbprints of the vCenter Server or of the remote SRM server, and the connection fails with a thumbprint mismatch error.

  • The SRM server shows "Not connected" on the Site Recovery page. "Reconnect" from the Site Recovery UI may fail, or may succeed while the status still shows "Not Connected", with the error:

    "SRM Server cannot connect to SRM Server at 'https://####:443/drserver/vcdr/vmomi/sdk'. SRM server #### cannot validate SSL certificate from server at ####:443. The remote host certificate has these problems: Unknown SSL certificate error."
  • The Site Recovery - Site Pair page may also look like this:

    The local SRM shows Remote SRM connection as "Not connected" and the target SRM shows "Unknown". The target SRM server also shows as "unknown:9086".
  • The following error message may also be seen on the Site Recovery page:

    "Unable to connect to Lookup Service at https://####:443/lookupservice/sdk. Reason: javax.net.ssl.SSLException: Certificate thumbprint mismatch."
  • Another error may appear once you open Site Recovery from vCenter (VC):

    "...CertificateValidationException: server certificate is not trusted and thumbprint verification is not configured"

Steps To Validate:

  • In the SRM log /opt/vmware/support/logs/srm/vmware-dr.log, entries like the following can be seen:

    "SSL Exception: Verification parameters:
    --> PeerThumbprint: XX:XX:XX:XX:XX:XX:XX
    --> ExpectedThumbprint: XX:XX:XX:XX:XX:ZZ
    --> The remote host certificate has these problems:
    -->
    --> * unable to get local issuer certificate"
  • The log entry above indicates that the SRM database contains stale thumbprints: the "PeerThumbprint" (what the remote host actually presented) differs from the "ExpectedThumbprint" (the value SRM has stored for that host).
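As an added check that is not part of this KB article, the POSIX shell functions below parse the "SSL Exception" block from vmware-dr.log, confirm that PeerThumbprint and ExpectedThumbprint differ, and compare the log values against the thumbprint the host currently presents, so the stale-database diagnosis can be confirmed before lsdoctor is run. The log text and thumbprints are constructed sample values; the live_tp helper and the assumption that the log reports SHA-1 thumbprints are mine, not the article's.

```shell
# Added example, not part of the KB. Checks the thumbprints reported in
# vmware-dr.log against each other and against the certificate the host serves.

# Constructed sample of the "SSL Exception" block quoted above.
SAMPLE_LOG='SSL Exception: Verification parameters:
--> PeerThumbprint: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
--> ExpectedThumbprint: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:FF
--> The remote host certificate has these problems:
-->
--> * unable to get local issuer certificate'

# Normalise a thumbprint so log values and openssl output compare equal.
norm_tp() {
  printf '%s' "$1" | tr -d ' \t\r' | tr 'abcdef' 'ABCDEF'
}

# First value of a "--> <field>: ..." line in the log text ($1); field name in $2.
log_field() {
  printf '%s\n' "$1" | sed -n "s/^.*--> $2: *\([0-9A-Fa-f:]*\).*$/\1/p" | head -n 1
}

# Does the log show the stale-thumbprint symptom?  Prints "stale" (rc 0) when
# PeerThumbprint != ExpectedThumbprint, "match" (rc 1) otherwise, rc 2 if absent.
log_shows_stale_thumbprint() {
  peer=$(norm_tp "$(log_field "$1" PeerThumbprint)")
  expected=$(norm_tp "$(log_field "$1" ExpectedThumbprint)")
  if [ -z "$peer" ] || [ -z "$expected" ]; then echo "no thumbprints found"; return 2; fi
  if [ "$peer" != "$expected" ]; then echo "stale"; return 0; fi
  echo "match"; return 1
}

# SHA-1 thumbprint of the certificate host $1 serves on port $2 (assumed helper;
# needs network access, so it is not exercised offline).
live_tp() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Confirm the diagnosis: the live thumbprint ($2) should equal the log's
# PeerThumbprint ($1), i.e. the host presents its new certificate and the stored
# value is the outdated one. Anything else needs a closer look before --trustfix.
classify() {
  if [ "$(norm_tp "$2")" = "$(norm_tp "$(log_field "$1" PeerThumbprint)")" ]; then
    echo "confirmed-stale"; return 0
  fi
  echo "inconclusive"; return 1
}
```

Typical use on a live system: `classify "$(grep -A2 'SSL Exception' /opt/vmware/support/logs/srm/vmware-dr.log)" "$(live_tp vcenter.example.test 443)"`, with the hostname replaced by your own vCenter.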

Environment

VMware Site Recovery Manager 8.x

VMware Live Site Recovery 9.x

Cause

  • Incorrect (stale) thumbprints in the SRM database tables are the cause of this issue.

  • A sync issue may occur if the SRM hostname differs from the name listed in the certificate; the outdated entries are then preserved and the thumbprints are not updated.

  • Thumbprint validation may also fail if SRM is upgraded at any point while vCenter is out of sync.

Resolution

To resolve the thumbprint mismatch issue, use the lsdoctor script as follows:

  1. Download the lsdoctor script from KB-80469.
  2. Upload the script to the vCenter Server.
  3. Navigate to the directory where the script was uploaded.
  4. Extract the contents of the ZIP file:
    • unzip lsdoctor.zip
  5. Run the following command to fix the thumbprint mismatch:
    • python lsdoctor.py --trustfix
  6. After executing the script, restart the vCenter services to complete the fix.
    • service-control --stop --all && service-control --start --all

If the issue persists after running the script, or if the symptoms and issue described above match your scenario but the resolution steps do not help, please contact Broadcom Support for further investigation and assistance.